Skip to content

Commit

Permalink
Merge pull request #1214 from Mbed-TLS/mbedtls-2.28.8rc0-pr
Browse files Browse the repository at this point in the history
Mbedtls 2.28.8 Release Candidate
  • Loading branch information
minosgalanakis authored Mar 22, 2024
2 parents f438f8f + c58cb59 commit 5a764e5
Show file tree
Hide file tree
Showing 53 changed files with 3,956 additions and 221 deletions.
52 changes: 52 additions & 0 deletions ChangeLog
Original file line number Diff line number Diff line change
@@ -1,5 +1,57 @@
Mbed TLS ChangeLog (Sorted per branch, date)

= Mbed TLS 2.28.8 branch released 2024-03-28

Features
* AES-NI is now supported in Windows builds with clang and clang-cl.
Resolves #8372.
* Add pc files for pkg-config, e.g.:
pkg-config --cflags --libs (mbedtls|mbedcrypto|mbedx509)

Security
* Passing buffers that are stored in untrusted memory as arguments
to PSA functions is now secure by default.
The PSA core now protects against modification of inputs or exposure
of intermediate outputs during operations. This is currently implemented
by copying buffers.
This feature increases code size and memory usage. If buffers passed to
PSA functions are owned exclusively by the PSA core for the duration of
the function call (i.e. no buffer parameters are in shared memory),
copying may be disabled by setting MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS.
Note that setting this option will cause input-output buffer overlap to
be only partially supported (#3266).
Fixes CVE-2024-28960.

Bugfix
* Fix the build with CMake when Everest is enabled through
a user configuration file or the compiler command line. Fixes #8165.
* Fix an inconsistency between implementations and usages of `__cpuid`,
which mainly causes failures when building Windows target using
mingw or clang. Fixes #8334 & #8332.
* Correct initial capacities for key derivation algorithms: TLS12_PRF,
TLS12_PSK_TO_MS.
* Fix mbedtls_pk_get_bitlen() for RSA keys whose size is not a
multiple of 8. Fixes #868.
* Avoid segmentation fault caused by releasing not initialized
entropy resource in gen_key example. Fixes #8809.
* Fix missing bitflags in SSL session serialization headers. Their absence
allowed SSL sessions saved in one configuration to be loaded in a
different, incompatible configuration.
* Fix the restoration of the ALPN when loading serialized connection with
the mbedtls_ssl_context_load() API.
* Fully support arbitrary overlap between inputs and outputs of PSA
functions. Note that overlap is still only partially supported when
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set (#3266).

Changes
* Use heap memory to allocate DER encoded public/private key.
This reduces stack usage significantly for writing a public/private
key to a PEM string.
* cmake: Use GnuInstallDirs to customize install directories
Replace custom LIB_INSTALL_DIR variable with standard CMAKE_INSTALL_LIBDIR
variable. For backward compatibility, set CMAKE_INSTALL_LIBDIR if
LIB_INSTALL_DIR is set.

= Mbed TLS 2.28.7 branch released 2024-01-26

Security
Expand Down
3 changes: 0 additions & 3 deletions ChangeLog.d/8372.txt

This file was deleted.

5 changes: 0 additions & 5 deletions ChangeLog.d/cmake_use_GnuInstallDirs.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix-alpn-negotiating-bug.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix-cmake-3rdparty-custom-config.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-mingw32-build.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/fix-ssl-session-serialization-config.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/gen-key-segfault.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/license.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/pkg-config-files-addition.txt

This file was deleted.

4 changes: 0 additions & 4 deletions ChangeLog.d/pkwrite-pem-use-heap.txt

This file was deleted.

3 changes: 0 additions & 3 deletions ChangeLog.d/rsa-bitlen.txt

This file was deleted.

2 changes: 1 addition & 1 deletion doxygen/input/doc_mainpage.h
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
*/

/**
* @mainpage Mbed TLS v2.28.7 API Documentation
* @mainpage Mbed TLS v2.28.8 API Documentation
*
* This documentation describes the internal structure of Mbed TLS. It was
* automatically generated from specially formatted comment blocks in
Expand Down
2 changes: 1 addition & 1 deletion doxygen/mbedtls.doxyfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
PROJECT_NAME = "Mbed TLS v2.28.7"
PROJECT_NAME = "Mbed TLS v2.28.8"
OUTPUT_DIRECTORY = ../apidoc/
FULL_PATH_NAMES = NO
OPTIMIZE_OUTPUT_FOR_C = YES
Expand Down
20 changes: 20 additions & 0 deletions include/mbedtls/config.h
Original file line number Diff line number Diff line change
Expand Up @@ -1570,6 +1570,26 @@
*/
//#define MBEDTLS_PSA_INJECT_ENTROPY

/**
* \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
*
* Assume all buffers passed to PSA functions are owned exclusively by the
* PSA function and are not stored in shared memory.
*
* This option may be enabled if all buffers passed to any PSA function reside
* in memory that is accessible only to the PSA function during its execution.
*
* This option MUST be disabled whenever buffer arguments are in memory shared
* with an untrusted party, for example where arguments to PSA calls are passed
* across a trust boundary.
*
* \note Enabling this option reduces memory usage and code size.
*
* \note Enabling this option causes overlap of input and output buffers
* not to be supported by PSA functions.
*/
//#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS

/**
* \def MBEDTLS_RSA_NO_CRT
*
Expand Down
8 changes: 4 additions & 4 deletions include/mbedtls/version.h
Original file line number Diff line number Diff line change
Expand Up @@ -26,16 +26,16 @@
*/
#define MBEDTLS_VERSION_MAJOR 2
#define MBEDTLS_VERSION_MINOR 28
#define MBEDTLS_VERSION_PATCH 7
#define MBEDTLS_VERSION_PATCH 8

/**
* The single version number has the following structure:
* MMNNPP00
* Major version | Minor version | Patch version
*/
#define MBEDTLS_VERSION_NUMBER 0x021C0700
#define MBEDTLS_VERSION_STRING "2.28.7"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.7"
#define MBEDTLS_VERSION_NUMBER 0x021C0800
#define MBEDTLS_VERSION_STRING "2.28.8"
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 2.28.8"

#if defined(MBEDTLS_VERSION_C)

Expand Down
10 changes: 6 additions & 4 deletions library/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -204,15 +204,15 @@ endif(USE_STATIC_MBEDTLS_LIBRARY)
if(USE_SHARED_MBEDTLS_LIBRARY)
set(CMAKE_LIBRARY_PATH ${CMAKE_CURRENT_BINARY_DIR})
add_library(${mbedcrypto_target} SHARED ${src_crypto})
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.7 SOVERSION 7)
set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.28.8 SOVERSION 7)
target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})

add_library(${mbedx509_target} SHARED ${src_x509})
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.7 SOVERSION 1)
set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.28.8 SOVERSION 1)
target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})

add_library(${mbedtls_target} SHARED ${src_tls})
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.7 SOVERSION 14)
set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.28.8 SOVERSION 14)
target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
endif(USE_SHARED_MBEDTLS_LIBRARY)

Expand All @@ -226,7 +226,9 @@ foreach(target IN LISTS target_libraries)
PUBLIC ${MBEDTLS_DIR}/include/
PUBLIC ${thirdparty_inc_public}
PRIVATE ${MBEDTLS_DIR}/library/
PRIVATE ${thirdparty_inc})
PRIVATE ${thirdparty_inc}
# Needed to include psa_crypto_driver_wrappers.h
${CMAKE_CURRENT_BINARY_DIR})
target_compile_definitions(${target}
PRIVATE ${thirdparty_def})
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
Expand Down
6 changes: 3 additions & 3 deletions library/gcm.c
Original file line number Diff line number Diff line change
Expand Up @@ -241,7 +241,7 @@ int mbedtls_gcm_starts(mbedtls_gcm_context *ctx,
uint64_t iv_bits;

GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);

/* IV and AD are limited to 2^64 bits, so 2^61 bytes */
Expand Down Expand Up @@ -433,7 +433,7 @@ int mbedtls_gcm_crypt_and_tag(mbedtls_gcm_context *ctx,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;

GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);
GCM_VALIDATE_RET(length == 0 || input != NULL);
GCM_VALIDATE_RET(length == 0 || output != NULL);
Expand Down Expand Up @@ -470,7 +470,7 @@ int mbedtls_gcm_auth_decrypt(mbedtls_gcm_context *ctx,
int diff;

GCM_VALIDATE_RET(ctx != NULL);
GCM_VALIDATE_RET(iv != NULL);
GCM_VALIDATE_RET(iv_len == 0 || iv != NULL);
GCM_VALIDATE_RET(add_len == 0 || add != NULL);
GCM_VALIDATE_RET(tag != NULL);
GCM_VALIDATE_RET(length == 0 || input != NULL);
Expand Down
Loading

0 comments on commit 5a764e5

Please sign in to comment.